Recently, I’ve decided to take upon myself a daring new mission – to help those reading my blog achieve relaxation and peace of mind. You might think I’m planning to instruct you in Yoga or meditation, or perhaps help you obtain prescription medicine or drugs of some kind, but I’m actually talking about the peace of mind you’ll find when your online identity is protected and your data is securely backed up.
This mission will be broken into a series of posts starting with this one, which will focus on protecting your online identity. First, let’s begin by understanding the subject.
Identity Theft Background
You might be asking: what does it mean to have your online identity stolen? Which services will it affect?
- Email – a hacked email account locks its true owner out. All their contact information and email correspondence with friends, family and co-workers may be lost forever. If they used Gmail, it means that all their other Google service accounts, such as Picasa, Google Docs and Google Talk, have been hacked too, and the information stored in them has been compromised. Not only have they lost access to it, but the hackers can freely distribute that information to whomever, and whenever, they like.
- Facebook – a hacked Facebook account means that all your friends, family members and co-workers are now in contact with a hacker instead of you. He will take advantage of this in many ways: he might convince your Facebook friends to give him information they would only give to you as their friend, or, out of spite, damage your relationships by writing obscenities or lies, or by posting private correspondence that he retrieved from your email account. Those of you who use Facebook as a photo archive face the danger that the hacker will delete all your cherished photos.
- Online Banking – obviously, one of the most damaging aspects of having your online identity stolen is having your finances open to attack. If you, like many, switched to online banking, supplemented perhaps by PayPal, your hacker might now turn into a thief as well – making money transfers or buying goods online. You can and should expect the worst of the unscrupulous hacker.
- VoIP services – using Skype, Jajah or countless other VoIP services exposes you to numerous dangers. First, many VoIP services are linked to your credit card, and the hacker can run up your phone bill. Second, the hacker might use your contact list and assume your identity for fraudulent activities. Third, just as with Facebook, he can wreak havoc on your relationships.
Those are just a handful of the dangers you are exposed to when you fall victim to online identity theft, but I guess that’s enough of me “scaring the shit out of you!”.
In order to achieve peace of mind, you need to understand how most identity thefts happen, and what you can do to be protected.
Let me reassure you, although there are numerous ways to steal your identity, most of you are subject to only a couple, and the solution is simpler than you might think.
Example – The ‘Homeless’ Saga
Let’s take as an example a very well-known attack that was exposed a while ago. An Israeli real-estate site called ‘Homeless’, which helps users rent, buy and sell properties, was hacked by Turkish hackers, and around 40,000 registered user accounts were compromised. Many of those users probably had their identities stolen too.
The hackers managed to retrieve from ‘Homeless’ a list of user accounts, which included both the email addresses and the passwords used to log into ‘Homeless’. Homeless’s first mistake was allowing their website to be hacked and their database to be stolen. Their second mistake was keeping users’ passwords in clear text, as opposed to keeping only hashed passwords, which are unreadable and can’t be reversed to learn your original password. Keeping passwords in clear text means that anyone gaining or having access to their database, from hackers to company employees, can easily view your password. There is really no excuse for this bad practice, but unfortunately many companies do exactly that! One way of learning whether this is the case with a certain online service is to attempt its password recovery process. If the system sends you back your password, it could mean trouble. What you are looking for is a system which does not know your password and therefore can’t retrieve it. A system like that would issue you a new password instead.
So how does learning your email and password from one site enable a hacker to steal your identity? Well, the answer is pretty simple – most users use only a few passwords to access all their online services, and usually they are all based on the same password with some variation. Once the hacker has those details, he will first attempt to hack your email account, from which he can usually gather more information to hack other services. First, he will look for registration emails with more login details. Second, he can carry out password recovery operations for any service tied to that hacked email account. Even if he does not manage to gather more passwords from your email, he can find the usernames of your online services from registration mails and, with the one password he already has, attempt to access them. If the password does not match, he’ll try variations of the password he has, and as a lot of you know, doing that will allow him to hack into many of your online accounts.
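To make the difference concrete, here is an added example (not code from the original post or from any site it mentions) of how a service that keeps only salted hashes handles login and password recovery: it can check a password but never read it back, so recovery issues a single-use reset token instead of the old password. The in-memory dict standing in for the user table, the e-mail addresses and the token flow are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster

# The "database" below is a plain dict constructed for this demo; a real site
# would use its user table. Each record holds only a salt and a hash.


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way PBKDF2-HMAC-SHA256 derivation: verifiable, not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db: dict, email: str, password: str) -> None:
    """Store a per-user random salt and the hash, never the password itself."""
    salt = os.urandom(16)  # unique salt: equal passwords still hash differently
    db[email] = {"salt": salt, "hash": hash_password(password, salt), "reset_token": None}


def verify(db: dict, email: str, password: str) -> bool:
    """Login check: re-derive the hash and compare it in constant time."""
    rec = db.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def recover(db: dict, email: str) -> Optional[str]:
    """Recovery on a hashed store: the old password cannot be sent back, so a
    single-use reset token is issued (returned here; a real site would e-mail it)."""
    if email not in db:
        return None
    token = secrets.token_urlsafe(32)
    db[email]["reset_token"] = token
    return token


def reset_with_token(db: dict, email: str, token: str, new_password: str) -> bool:
    """Consume the token and replace salt + hash; the old password is never needed."""
    rec = db.get(email)
    if rec is None or rec["reset_token"] is None:
        return False
    if not hmac.compare_digest(rec["reset_token"], token):
        return False
    salt = os.urandom(16)
    rec.update(salt=salt, hash=hash_password(new_password, salt), reset_token=None)
    return True
```

A dump of this table gives an attacker salts and hashes to guess against, not a list of working passwords, which is exactly what the clear-text ‘Homeless’ database handed over.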
Preventing Identity Theft
Now we understand that a broad attack will leave the less wary users, those using only a few generic and simple passwords, at great risk, while users with many complex passwords will be less vulnerable. There are other forms of attack, but that’s enough information about attacks for now. Bottom line: you need to start using a different password for each online service, and they need to be complex – so-called ‘strong’ passwords.
O.K. – it’s time for me to make good on my word and help you achieve the promised bliss and peace of mind. What you are going to do is start using password manager software that helps you create and manage different, unguessable, strong passwords for each online service you use. You might be thinking that switching to strong passwords, and many of them at that, is impractical and a hassle, but please have faith that the solution I present here will be both simple and hassle-free. To accomplish that, it must meet the following requirements:
- One-click automatic login – eliminates the need to type the strong passwords you will now use. Without this, typing them manually would be a hassle, and automatic login also overcomes potential threats from key loggers (it’s alright if you don’t know what key loggers are, just be glad this offers more security).
- Password generator with customization – it’s hard to believe how hard it is to come up with your own complex and random passwords, especially when you need to do this for many services while conforming to the different length and permitted-character requirements that each service imposes.
- Centralized solution on the web – so you don’t need to worry about backups or syncing issues when using multiple PCs and devices, and it has to be available wherever and whenever you may need it.
- Multi-platform – will work on any device you throw at it. Supports Windows, Mac and Linux machines, and various mobile devices: iPhone, Windows Mobile, BlackBerry, Android and Nokia’s Symbian.
- Multiple browser integrations – plugins available for whichever browser you prefer: IE, Firefox, Safari or Chrome.
- Open – allows you to keep an encrypted local backup, so you can always switch to another solution if you wish.
- Advanced features – although most of you will not find this relevant, at least not in most situations, I felt it was important that the solution offered advanced features such as multifactor authentication, phishing protection, one-time passwords and portable versions. I will not explain these features in this post, but may dedicate another to them in the future.
LastPass Password Manager
The solution I chose is called ‘LastPass’, and it answers all the requirements listed above, and then some. Most of their solution is free, and for one dollar a month ($12/yr) you get their mobile-device applications and advanced features. I suggest you begin with the free version, which you can easily upgrade later.
How to get started with the LastPass password manager?
- Register – go to https://lastpass.com/create_account.php, or first download the installer, which will give you the option to register as part of the installation process. In any case, it’s best to read the following registration tips:
- Email address – register with the email address you use most.
- Security question – choose a security question whose answer no one can find by doing a little research. You type your own question, so choose something smart. Your dog’s name, your kids’ birthdays or anything of that nature is not good enough. Choose something you can’t forget, because it will be used for password recovery, and they are serious about security, so don’t expect any leniency if you aren’t able to recover your password.
- Master password – the solution is based on you having a master password that unlocks your password vault, which contains all the login details of your online services. This password should be complex, but I recommend using something you can remember. Make sure the password you choose has both alphabetical and numerical characters, plus special characters such as ‘@’, ‘$’, ‘!’, ‘?’.
LastPass will allow you to save your master password in all its different applications, browser plug-ins and extensions, but I recommend that you don’t do that, at least for a while, until you feel the password you chose is engraved in your mind and won’t be forgotten.
- Download software
- Go to https://lastpass.com/misc_download.php
- There are many LastPass plugins and applications, depending on the platform you use. When you choose a platform it will also recommend a plugin for download. If you are on a Windows machine it will recommend a universal plugin that installs on all three major browsers: IE, Firefox and Chrome. You should use that, or just download the plugin for the browser you use most.
- During the installation, you can either log in with the account you created before, or create a new account if you haven’t done so already.
- Importing logins – you may choose during installation to import your previously saved login details from your browser. I recommend doing so, as this list will be a good starting point for changing all your current passwords to new unguessable, strong passwords.
- After installation a LastPass button will appear in your browser. Use it to open the LastPass menu, giving you access to your password vault, settings, shortcuts and other features.
- Replacing old passwords with strong passwords (View how-to-video instead)
- Use the LastPass button in your browser to access the ‘sites’ menu, which displays a list of all the sites you’ve imported. Clicking on a site will navigate your browser to that service and automatically log you in. If you didn’t choose to import your sites during installation, you may do so at any time by using the ‘import from’ option under ‘tools’. Select your browser from the list and you’re done!
- Start a ‘change password’ procedure.
- When you need to enter a new password, if the LastPass header with the ‘generate password’ button isn’t displayed, you can right-click on the ‘new password’ form field on the site, and you’ll find the ‘generate secure password’ option under the ‘LastPass’ menu item.
- This will open a dialog box with password customization options. Obviously, the longer your password is and the more character types it has, the stronger and more secure it is. But you can settle for just 12 alphanumeric characters; I’m sure it will still be much more secure than what you have used until now. By the way, I use 16 characters with both alphanumeric and special characters. (Don’t forget, LastPass will fill in passwords automatically, so feel free to create long and complex passwords!)
- Press the ‘accept’ button, which will fill in the ‘new password’ field, or copy-paste the password into it. I recommend using the ‘accept’ button, which also saves the password independently in your password vault, where it will show as ‘generated password for xxxx’, which is useful in troubleshooting scenarios.
- Finish the ‘change password’ procedure by clicking the corresponding ‘save’ button.
- LastPass will present its header at the top of the page, acknowledging that a password has been changed; pressing the ‘Confirm’ button displayed in the LastPass header saves the new password for that site.
1. Changing an old password to a strong, secure password:
2. Adding an online service to your LastPass passwords vault.
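What a generator dialog like the one above does under the hood, as an added example (not LastPass code): it draws random characters from the classes the site permits, guarantees at least one of each class, and lets you compare the 12-character alphanumeric and 16-character mixed choices discussed above by their guessing resistance. The character classes, the special-character set and the policy function are assumptions standing in for the dialog’s options.

```python
import math
import secrets
import string

# Character classes a site may permit; mirrors the checkboxes in a generator dialog.
# The special-character set is constructed for the demo; narrow it to what a site accepts.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": "!@#$%^&*?-_",
}
ALL_CLASSES = ("lower", "upper", "digits", "special")


def generate_password(length=16, classes=ALL_CLASSES):
    """Random password of `length` chars from the chosen classes, with at least one
    char from every class (what sites' complexity rules demand). Uses `secrets`,
    never `random`, because `random` is predictable and unfit for passwords."""
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    pools = [CLASSES[c] for c in classes]
    chars = [secrets.choice(p) for p in pools]          # one guaranteed char per class
    union = "".join(pools)
    chars += [secrets.choice(union) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):             # Fisher-Yates shuffle so the
        j = secrets.randbelow(i + 1)                   # guaranteed chars aren't always first
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, min_length, classes=ALL_CLASSES):
    """Check a password against the same rules before submitting it to a site."""
    if len(password) < min_length:
        return False
    pools = [CLASSES[c] for c in classes]
    allowed = set("".join(pools))
    if any(ch not in allowed for ch in password):      # e.g. a special char the site forbids
        return False
    return all(any(ch in pool for ch in password) for pool in pools)


def entropy_bits(length, classes=ALL_CLASSES):
    """Approximate guessing resistance: log2 of the number of equally likely passwords."""
    pool = len(set("".join(CLASSES[c] for c in classes)))
    return length * math.log2(pool)
```

With these sets, 12 alphanumeric characters give roughly 71 bits and 16 mixed characters roughly 99 bits; either is far beyond any memorable password reused across sites.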
Although LastPass is easy to use, there are still many subjects and features I could not cover in one post. I urge you to begin using this solution, and if you have any questions, feel free to contact me and I promise to help you out.
Be safe & prosper
Other password managers worth mentioning:
- KeePass – free, open-source, cross-platform solution.
- 1Password – Mac-based, with a beta-stage Windows application.
- RoboForm – well-known Windows solution.
- Clipperz – web-based solution.